0

I have an Authorization Server with Spring Security 5. It supports Authorization Code, Authorization Code with PKCE, Implicit Grant and Client Credentials flows from the OAuth 2.0 authentication framework for it's clients. This Spring Security 5 Auth Server is also connected with a database with users information and it's passwords hashing. Currently the Auth user validates users credentials from the login page using the users tables from the database.

Right now I need to setup an AWS Cognito User Pool and use the same users already stored in the database. My intention is to use the Spring Security Auth Server as an OIDC Identity Provider for my user pool in AWS Cognito.

Is this possible?

Kasbah
  • 47
  • 1
  • 10

1 Answers1

0

AWS Cognito can act as an Authorization Server, meaning your apps will get AWS tokens. In this case you add Spring as an OpenID Connect IDP, similar to my blog post which used Okta as an IDP. This could be quite an impactful change though, since you may not be able to make Cognito access tokens contain any custom values.

Alternatively you can do it the other way round, in which case your apps will receive Spring issued tokens. I would expect the integration to basically work, whichever way round you do it, though you could experience some annoyances.

An important factor is how your APIs / back end will identify users from access tokens after this change, since Cognito and Spring will use different subject claims in access tokens. In case relevant, this detailed Curity article discusses migrations and user IDs.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24